Someone Asked A Question: I Have A Crabby Answer

Recently I was asked on the Black Hat linkedIn group to provide what I thought would be remediations for the issues over information security where the power grid is concerned. I would like to take a larger approach though to an overall security makeover for this country altogether.

While I agree that the nations grid system needs to be “secured” properly, it is the problem du jour in the mass media that has only recently grasped on to this has “sensational” written all over it. What needs to happen though, is that all quarters of cyber insecurities should be examined and remediated as a whole for this country to be carrying out “Due Diligence”

By all quarters I mean that all companies as well as individuals should be more aware of security issues that stem from their owning a computer that has been hooked up to the internet. Companies should, by their very nature, want to secure their networks and machines in order to not lose money through compromise and the FUD that shakes out afterwards if it hits the media. This is not the case though in my experience as an information security specialist. So here are my thoughts on the causes as well as the fixes that I would recommend to best secure our nation. Much of this though is not of a technical nature. You can have all the technology in the world and still be compromised by human nature.. Just ask any Social Engineer.
The Problem: Poor Danger Perception and Cogitation

The problem as I have seen it comes in two flavors. The first being the fact that humans are unable to effectively judge long term threats. With the advent of computers and networking, much of the populace is not only inured to their use, but also the idea that they are in fact magical boxes. Much of our population might as well be Cro Magnon man looking on at the winking hard drive lights as if they were the gift of fire or the arcane steel secrets of Conan’s God Crom.

All too often people just have no clue about how the systems work nor the basic grasp of what they should NOT do on the internet to stay secure. This is why much of the attack vectors have had a paradigm shift in the recent past from a technical aspect to a “social” aspect. With the advent of “Social Phishing or Spear Phishing” the aggressors have begun to exploit human nature much more with those technical vulnerabilities. Just look at Conficker and see how an old exploit has been leveraged because of the “human nature” toward complacency and lackadaisical patching processes.

So, as humans go, we are really poor (scientifically borne out) at the judgement of long term threats as opposed to “fight or flight” which we evolved a great ability to determine and react to the tiger on the Savannah. Digitally, we are more the frog in the pot of water that has been set to boil really. Eventually we will get cooked but oh we will have such a nice bath up until then huh?

In short, until we as a whole get a firm grip on the nature of security on the internet and information security altogether, we will be poorly able to be proactive about securing ourselves and our country. It’s here that I bring you the next topic to consider. Human nature as regards complacency.
The Second Problem: Humans as a whole are complacent and prone to habit

Complacency, ahh what a nice term for LAZY huh? Every time I hear the whine that a user has to remember “another” password or for that matter “A” password that is more than 4 characters long I feel a blood vessel about to burst in my frontal lobes.

“I am sorry, but yes, you do have to use that 2 lbs of gray matter we call a brain to actually remember things ok?”

Much of the attacks out there today rely on the human proclivity to stick to simplistic thought or the inability to fully carry out the administration of systems that they run. The common password no no’s of using your first name, pets name, kid’s birthday etc have been somewhat mitigated now by systems that, if set up properly, will deny these simple passwords. However, all too many times even these measures are not implemented fully if at all at home, never mind in the corporate setting.

The same goes for patching and updating systems. Either you have the auto update on (which may cause you to blue screen anyway if you get a half baked patch ala M$) or you are supposed to be following protocols that may or may not be written into policy at your local Uber Mega corporation. Often even IF they have been written down are they being followed to the letter or at all. Trust me, I know after six years of audits on fortune 500’s.

In essence, the short and long of it is that we, humans, are lazy too. Its too much work to do all the due diligence! Hell, we’d have to spend all kinds of money and all kinds of time on REALLY doing the security due diligence that is required!
“And, well, we have other things to do ya know… I mean hell, Solitaire is time consuming!”

How do we fix this? Well here we come to the last talking point.

Security as MANDATE: The government needs to develop substantive laws and governance over cyber security

Recently senators have proposed legislation that would mandate the U.S. Governments overarching role in the information security of the nation. This would not only be the government and the military, but also stretch to the private sector. The bill in place needs much more work I agree. The language is way too broad and allows for some power grabbing by the president that hearkens back to the last regime’s idea of “Unitary Presidency” and that my friends should scare the crap out of us all.

However, the idea behind the bill is something that I have been advocating for some time. I believe that the government needs to create laws that apply to all sectors of the US “infrastructure” and that those laws should have some tooth to them. What really comes to play here is the determination of just what is considered “infrastructure” and quite frankly I think every corporation in the US should be considered to be under that nomenclature. After all, if you are plugged into the internet, then you are connected bi-directionally to the “infrastructure” and by default a part of it.

The same case could be made to individual users too. After all, where do you think all those Conficker bots come from other than corporations worldwide? Many of them are home users with persistent connection to high speed lines aren’t they? So at the beck and call of the bot herder, all of these users who have no clue about security or administration of their systems are de facto an integral part of the botnet vectors out there. Both corporate and private have become “The Infrastructure” by their connectivity and access to the internet.

Simply, I feel that it is the governments job at this point in time to create laws that have real negative impacts on corporations that do not follow the “best practices” approach to information security. Sure we have had HIPAA and other legislation, but those to date, have had no tooth to them. Nor did the government carry through in actual enforcement of those laws with due diligence. For that I blame the US Government for their inability to enforce their own laws. So where do we go from there? It can be projected out that the Senate and House make the laws and then fail yet again to enforce the new mandates over security. It’s an unfortunately likely scenario given human nature and the ossification of our governance today.
Lets say they pass this set of new laws.. What then?

Well, what then indeed. What I would like to see is a series of laws that are backed up by a special branch of government and corporate entities, a commission, or a department, that would oversee this process. Such a branch would have to have a cabinet post as well as a set series of legal mandates that clearly give it power to create and enforce the information security policies of this nation. Insofar though, we have not seen such an entity. To date, we have a mish mash of groups that are vying for the right to be the top dog on cyber security, including a Czar who recently quit because he could get nothing done. Why couldn’t he get things done? Because too many other entities (DHS/NSA/FBI/DOJ etc) all were too busy infighting to make a cogent decision and implement anything substantive.

The paradigm has to change or nothing will be done to secure our infrastructure. Will that have to be in the form of a “unitary president” laying down the law? It may just have to be so unfortunately. Will it have to be something akin to giving the whole kit and kaboodle to the NSA to run the show? It just might too and that scares a lot of people.

So, the short answers are these for me:
1. Create the laws over cyber security and create an agency to enforce them

2.Define what “infrastructure” really means and just who might be a part of that

3.Enforce the laws with negative impacts to those corporations/entities that do not follow the laws

4.Institute recurring and substantive re-validations of the security at corporations deemed to be “infrastructure”

5. Fine those who are non compliant after an audit unless otherwise agreed upon changes are in progress

6.Raise awareness to all about the risks of information security failures and educate the masses

Without negative impacts aka “law and punishment” we will not have any change with regard to our “cyber” security as a whole I am afraid. After all, we have laws to keep people in line. We have laws for those who buy guns about their use, why not over how corporations, the government, and the people use the “infrastructure” of the telco industry? Let me put it this way.. How many of you out there download MP3’s on BitTorrent even though it is technically against the law?

Yeah, and the law has been wishy washy hasn’t it? Sure a few people have been fined but really, has that stopped anyone? Now just think about if masses of the populace were being severely fined and perhaps imprisoned for MP3 downloads? You’d see a bit of a decline in downloading wouldn’t you? The same thing applies here.

But will it happen?

I have my doubts… We as a people are too lazy, complacent, and perhaps unable to see the bigger security picture as a whole to really do anything about it. If laws are made and agencies created I am sure that the corporate lobbyists will kill them in infancy because it will hurt their bottom line to really be compliant. It will be too much work and money and be seen as a pain in the ass to Joe user who will have to have a 9 character complex password.